Privacy Policy
1. Introduction
This Privacy Policy explains how your personal data is collected, used, stored, and protected when you interact with Andrew Robin Selway, trading as:
HeadFirst Hypnotherapy®
Andrew Selway Counselling & Psychotherapy
This includes:
Visiting my websites
Making an enquiry
Booking appointments
Attending free introductory calls
Attending Initial Consultations
Engaging in counselling, psychotherapy or Solution-Focused Hypnotherapy services
Attending Parent/Guardian Calls (HeadFirst Hypnotherapy® only)
Downloading resources or joining mailing lists
Communicating via email, telephone, voicemail, messaging platforms such as WhatsApp, social media, professional bodies, online directories, or online platforms
I, Andrew Robin Selway, am the data controller responsible for your personal data.
I provide services under the trading names HeadFirst Hypnotherapy® and Andrew Selway Counselling & Psychotherapy.
Whilst services are offered under different trading names, client information may be processed, stored and managed using shared practice management, communication, record-keeping, scheduling and administrative systems operated by me as the data controller.
I am registered with the Information Commissioner’s Office (ICO) and process personal data in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and applicable UK data protection legislation.
I take your privacy and confidentiality seriously and am committed to protecting your information appropriately and transparently.
2. How You May Contact Me
You may contact me via:
Website contact forms
Email
Telephone
Messaging platforms such as WhatsApp
Voicemail
Social media platforms (e.g. Instagram, Facebook, LinkedIn)
Professional bodies and online directories (e.g. Counselling Directory, Hypnotherapy Directory)
Cliniko online booking system
These platforms may sometimes be used for initial enquiries before individuals are directed to book appointments through my practice management systems or websites.
Please note that when you contact me through third-party platforms, your information may also be subject to their own privacy policies and terms.
3. Messaging and Communication Platforms
You may contact me via messaging platforms such as WhatsApp before or during our work together.
These methods are primarily used for:
Initial enquiries
Appointment booking or changes
Administrative communication
Brief service-related communication
Messaging platforms are not intended for sharing sensitive clinical, counselling, psychotherapy, or health-related information.
While convenient, these platforms may not be fully secure. I therefore recommend avoiding the sharing of sensitive personal, clinical or health information through messaging services or social media platforms.
Please avoid leaving sensitive clinical or health-related information via voicemail where possible.
Where appropriate, more sensitive information will be discussed during consultations, counselling sessions, psychotherapy sessions, hypnotherapy appointments, or through secure systems.
If information is shared through communication platforms, it may form part of your client record where relevant to the provision of services, safeguarding, risk management, administration, or professional record keeping.
4. Information I Collect
Website and General Enquiries
When you contact me via my websites, social media, professional directories, email, voicemail, or messaging platforms, I may collect:
Name
Email address
Telephone number
Any information you choose to provide
New client enquiries may also be received through social media platforms, professional bodies, or online directories. Individuals may then be directed to my website, booking system, or practice management system to arrange an introductory call, consultation, or appointment.
Free Introductory Calls – Counselling & Psychotherapy
Individuals seeking counselling or psychotherapy may choose to arrange a free 15-minute introductory telephone call.
The purpose of this call is to:
Discuss what has brought you to therapy
Answer initial questions
Explore whether working together feels appropriate
Discuss practical arrangements where relevant
This introductory call is not a counselling or psychotherapy session and no therapeutic intervention is provided.
Information shared during this call may be recorded where necessary for administrative, safeguarding, suitability, risk management, or professional record-keeping purposes.
If you choose to proceed with counselling or psychotherapy services, additional information may be collected before your first appointment through intake forms, consent forms, therapy agreements, questionnaires, or other documentation.
Parent / Guardian Calls – HeadFirst Hypnotherapy®
Before working with clients under 18 through HeadFirst Hypnotherapy®, I require a Parent/Guardian Call.
During this call, I may collect:
Parent or guardian details
Child or young person's details
Relevant background information
Initial safeguarding information
Initial suitability information
Relevant health and wellbeing information
This call is not a hypnotherapy session but forms part of the information-gathering and suitability assessment process.
I currently work with:
Clients aged 16+ for general hypnotherapy services
Clients aged 15+ for exam revision support
I do not currently provide counselling or psychotherapy services to individuals under the age of 18.
Initial Consultations – HeadFirst Hypnotherapy®
Before hypnotherapy sessions begin, clients attend an Initial Consultation.
Initial Consultations booked online through my website may be processed using my integrated booking and payment systems.
The Initial Consultation is an assessment, information-gathering and psychoeducational session designed to:
Assess suitability
Gather relevant information
Discuss goals and expectations
Explain the Solution-Focused Hypnotherapy process
The Initial Consultation is not a hypnotherapy session.
During this process, I may collect:
Personal details
Relevant health and wellbeing information
Background information
Risk-related information
Safeguarding information where appropriate
Clients may also complete:
Intake forms
Consent forms
Questionnaires
Assessment forms
These may be completed electronically through my practice management systems.
Counselling & Psychotherapy Appointments
Where individuals proceed with counselling or psychotherapy services, I may collect:
Personal details
Contact details
Emergency contact details
GP details
Relevant health information
Medication information
Presenting issues
Risk-related information
Safeguarding information where appropriate
Intake forms
Consent forms
Therapy Agreements / Terms and Conditions
Questionnaires or assessment forms
These documents are normally provided before the first appointment wherever practicable.
The first counselling or psychotherapy appointment is the client's first therapeutic session and may include both assessment and therapeutic work.
Ongoing Counselling, Psychotherapy and Hypnotherapy Services
If you proceed with counselling, psychotherapy or hypnotherapy services, I may collect and maintain:
Session notes
Progress information
Relevant clinical or wellbeing information
Safeguarding or risk-related notes where necessary
Correspondence relating to your care, wellbeing or therapeutic work where appropriate
Some of this information may constitute Special Category Data under UK GDPR (for example health-related information) and is handled with additional care and confidentiality.
Emergency Contact Details
Where appropriate, I may collect emergency contact details to support your safety and wellbeing.
Financial Information
Payments for services may be made via:
Bank transfer
Stripe
Other approved payment methods
I may retain:
Invoice information
Payment confirmations
Transaction records
I do not store full card details.
Mailing Lists and Downloads
If you download a resource, subscribe to a mailing list, register for updates, or request information from either trading name, I may collect:
Your name
Your email address
You may then receive:
Information relevant to the requested resource
Service updates
Occasional marketing communications
You may unsubscribe at any time.
5. Information About Third Parties
During enquiries, consultations, counselling sessions, psychotherapy sessions, hypnotherapy appointments, or other communications, you may choose to share information relating to other individuals (for example partners, family members, employers, schools, healthcare professionals, or colleagues).
I ask that you only share information that is relevant and necessary to your support or the provision of services.
Any third-party information disclosed during our work together will be treated confidentially and handled in accordance with this Privacy Policy.
6. Legal Basis for Processing Personal Data
Your personal data is processed under one or more of the following lawful bases:
Contractual Necessity
To provide services you have requested, including:
Introductory calls
Initial Consultations
Counselling services
Psychotherapy services
Hypnotherapy services
Appointment booking and administration
Legitimate Interests
To:
Assess suitability for services
Maintain professional records
Operate a safe and effective practice
Communicate appropriately with clients
Protect client welfare and safety
Manage appointments and business administration
Legal Obligations
To comply with:
Safeguarding obligations
Financial and accounting requirements
Insurance requirements
Regulatory obligations
Professional and ethical responsibilities
Court orders or legal requirements where applicable
Consent
Where consent is required, including:
Marketing communications
Contacting GPs or healthcare professionals
Certain disclosures of information
You may withdraw consent at any time where processing relies upon consent.
Special Category Data
Where health information or other Special Category Data is processed, I rely on the lawful bases available under UK GDPR and the Data Protection Act 2018, including the provision of health-related, counselling, psychotherapy and therapeutic services and the management of professional records.
Recognised Legitimate Interests
In certain circumstances, personal data may be processed where recognised in law as being in the public interest, including:
Safeguarding
Preventing harm
Emergency situations
Protection of vulnerable individuals
7. Agreement to This Privacy Policy
This Privacy Policy is available on my websites and may also be provided through my practice management systems, booking systems, intake forms, consent documentation, and other client communications.
Individuals may be asked to acknowledge this Privacy Policy when making an enquiry, booking appointments, completing intake forms, or engaging with services.
Clients receiving counselling, psychotherapy or hypnotherapy services may also be required to complete relevant intake documentation, consent forms, and Therapy Agreements / Terms and Conditions appropriate to the service being provided.
Where practicable, these documents will be provided before the first appointment. Clients are responsible for reviewing the information provided and raising any questions or concerns before services begin.
Attendance at an appointment, completion of intake documentation, provision of personal information, and/or continued engagement with services may be treated as confirmation that the individual has been provided with access to the relevant documentation and has had a reasonable opportunity to review it.
Important aspects of the therapeutic agreement, including confidentiality, its limits, data protection, record keeping, safeguarding, cancellation policies, boundaries, and any service-specific considerations, may also be reviewed and discussed during appointments and throughout the professional relationship as part of the ongoing informed consent process.
The completion of documentation does not replace the ongoing discussion of consent, confidentiality, boundaries, suitability, or risk throughout the professional relationship.
I reserve the right to postpone, decline, suspend, or discontinue services where required documentation has not been completed, where sufficient information has not been provided to assess suitability, or where I believe it is not appropriate, safe, ethical, or within my professional competence to proceed.
8. How Your Data Is Used
Your personal data may be used to:
Respond to enquiries
Arrange and manage appointments
Assess suitability for counselling, psychotherapy or hypnotherapy services
Provide safe and appropriate services
Maintain professional records
Communicate with you regarding appointments or services
Manage risk and safeguarding concerns where appropriate
Meet legal, ethical, professional, regulatory and insurance obligations
Process payments and maintain financial records
Improve services using anonymised information where appropriate
I only collect and process the minimum amount of information necessary for the purposes for which it is required.
9. Confidentiality
Confidentiality is a fundamental part of my professional practice.
Information shared during counselling, psychotherapy, hypnotherapy, consultations, introductory calls, or related communications will be treated confidentially and handled in accordance with applicable legal, ethical, professional, and regulatory requirements.
Your information will not normally be shared with third parties unless:
You have provided consent
There is a legal obligation to do so
There is a safeguarding concern
There is a risk of serious harm to yourself or others
Disclosure is necessary to protect the welfare of a child or vulnerable person
Disclosure is otherwise required by law, court order, regulatory requirement, or professional obligation
Where appropriate and practicable, I will seek to discuss any proposed disclosure with you before information is shared.
10. Contacting Your GP or Healthcare Professional
Where appropriate for your safety, wellbeing, suitability, or ongoing care, I may:
Request your GP details
Request your consent to contact your GP or another healthcare professional
Inform them that we are working together
Seek information relevant to your care, wellbeing, suitability, or risk management
Request confirmation that it is appropriate to proceed with services where necessary
This may occur where:
Significant risk factors are identified
Safeguarding concerns arise
Medical or psychological considerations require clarification
Additional support is clinically, ethically, or professionally appropriate
Information is required to assess suitability for services
Your consent will normally be sought before contact is made unless there is a legal, safeguarding, ethical, or regulatory obligation that overrides confidentiality.
If consent is not provided where I believe contact is necessary to assess suitability, manage risk, protect wellbeing, fulfil professional obligations, or provide services safely and ethically, I reserve the right to decline, postpone, suspend, or discontinue services.
11. Communication With Parents, Guardians and Other Professionals
For clients under 18 receiving services through HeadFirst Hypnotherapy®, communication may take place with parents or legal guardians where appropriate.
I do not currently provide counselling or psychotherapy services to individuals under the age of 18.
Where appropriate and with consent, communication may also occur with:
GPs
CAMHS
Schools, colleges or universities
Healthcare professionals
Social care services
Other professionals involved in a client's care, support, safeguarding or wellbeing
Unless safeguarding, legal, ethical, regulatory, or professional obligations apply, consent will normally be sought before information is shared.
Only the minimum information reasonably necessary for the intended purpose will be disclosed.
12. Supervision
I engage in regular professional supervision in accordance with the ethical requirements of my professional memberships, training organisations, and professional standards.
The purpose of supervision is to:
Support safe and ethical practice
Maintain professional standards
Promote reflective practice
Ensure appropriate client care and professional accountability
Support risk management and safeguarding responsibilities
Client work may be discussed within supervision where appropriate; however:
Discussions are anonymised wherever possible
Identifiable personal information is not routinely disclosed
Only information necessary for supervisory purposes is shared
Supervisors are themselves bound by professional, ethical, and confidentiality obligations.
13. Professional and Legal Support
In certain circumstances, relevant information may be shared with:
My professional supervisor
Professional indemnity insurers
Legal advisers
Accountants or professional advisers where necessary
Professional membership organisations
Regulatory, safeguarding, or legal bodies
Courts, tribunals, or law enforcement agencies where legally required
Where possible and appropriate:
Information will be anonymised
Only the minimum necessary information will be disclosed
Confidentiality will be maintained as far as reasonably possible
Information may be disclosed where necessary to comply with legal, regulatory, ethical, safeguarding, insurance, or professional obligations.
14. Data Storage and Third-Party Processors
To operate my practice safely and efficiently, I use a number of trusted third-party providers. These organisations act as data processors on my behalf where applicable.
Practice Management
Cliniko – appointment scheduling, client records, intake forms, consent forms, questionnaires, telehealth services, clinical notes, safeguarding notes, risk assessments, invoices, and practice administration.
Websites and Email Marketing
Squarespace – website hosting, website forms, analytics integration, email campaigns, booking integration, and website administration.
Payments and Financial Processing
Stripe – secure online payment processing
Tide Business Banking – bank transfer payments and business banking services
Xero – accounting, bookkeeping, and financial record management
Communication and Administration
Google Workspace (including Gmail, Google Calendar and Google Meet) – email communication, calendar management, online appointments, document management, and administration.
Messaging platforms such as WhatsApp – appointment-related and administrative communication.
File Transfer Services
Where necessary, services such as WeTransfer or similar secure file transfer platforms may be used to send resources, documents, recordings, or information.
Professional Directories and Referral Sources
Professional directories, referral platforms, and professional body websites may be used to facilitate enquiries and referrals.
These providers are selected carefully and are expected to comply with applicable data protection legislation.
Only information reasonably necessary for the relevant purpose will be processed through these systems.
Whilst reasonable efforts are made to use reputable providers, I am not responsible for the independent privacy practices of third-party organisations.
Some providers may process data outside the United Kingdom. Where this occurs, appropriate safeguards are expected to be in place in accordance with applicable data protection legislation.
15. International Clients
I may work with clients located outside the United Kingdom.
Where personal data is transferred internationally, reasonable steps are taken to ensure that appropriate safeguards and protections are in place in accordance with applicable data protection legislation.
Clients located outside the United Kingdom are responsible for ensuring that it is lawful for them to receive counselling, psychotherapy, hypnotherapy, or related services within their country or jurisdiction.
All services are provided from England and are administered in accordance with applicable UK legislation, including UK data protection law.
Where applicable, matters relating to the provision of services shall be interpreted in accordance with the laws of England and Wales. Further provisions relating to governing law and jurisdiction are contained within the relevant Therapy Agreement and Terms and Conditions.
16. Data Security
I operate a primarily digital practice and do not routinely store paper records.
Your information is stored securely using encrypted, password-protected, and access-controlled systems where available.
Access to client information is restricted to me unless disclosure is required for legal, safeguarding, regulatory, insurance, ethical, or professional reasons.
Appropriate technical and organisational measures are in place to protect personal data from:
Unauthorised access
Loss
Misuse
Disclosure
Alteration
Accidental destruction
Whilst reasonable steps are taken to protect your information, no method of electronic storage, transmission, or communication can be guaranteed to be completely secure.
By engaging with services, you acknowledge the inherent risks associated with electronic communication and digital record keeping.
In the event of a personal data breach, appropriate action will be taken in accordance with applicable data protection legislation and Information Commissioner's Office (ICO) reporting requirements.
17. Data Retention
Personal data is retained only for as long as necessary to fulfil professional, legal, safeguarding, insurance, regulatory, business, and ethical obligations.
Parent / Guardian Calls
Where no further engagement occurs:
Records are generally retained for up to 12 months.
Introductory Calls
Where no appointment is booked or no ongoing professional relationship develops:
Records are generally retained for up to 12 months.
Initial Consultations
Where no ongoing hypnotherapy services occur:
Records are generally retained for up to 12 months.
Adult Clients
Records relating to adult counselling, psychotherapy, hypnotherapy, consultations, assessments, and associated services are generally retained for:
8 years following the end of the professional relationship.
Clients Under 18
Records relating to clients under 18 receiving services through HeadFirst Hypnotherapy® are generally retained until:
Age 25; or
Age 26 where services ended at age 17.
Financial Records
Financial records are generally retained for 6 years in accordance with accounting, tax, and regulatory requirements.
Retention periods may be extended where necessary to comply with legal, safeguarding, insurance, regulatory, professional, or risk-management obligations.
Once retention periods expire, information will be securely deleted, destroyed, anonymised, or otherwise disposed of appropriately.
18. Your Rights
Under UK data protection legislation, including UK GDPR, you have the right to:
Request access to your personal data
Request correction of inaccurate or incomplete information
Request erasure of personal data where appropriate
Request restriction of processing in certain circumstances
Object to processing in certain circumstances
Request portability of your data where applicable
Withdraw consent where processing relies upon consent
Lodge a complaint with the Information Commissioner's Office (ICO)
Requests relating to personal data should preferably be made in writing via email.
I will normally respond to valid requests relating to personal data within one month of receipt in accordance with applicable UK data protection legislation.
Where permitted by law, this period may be extended where requests are complex, multiple requests have been received, further clarification is required, or additional time is otherwise permitted under applicable legislation. Where an extension is required, I will notify you accordingly.
Where clarification is required to identify the information requested or to verify identity, response timeframes may be paused until sufficient clarification has been received.
Subject Access Requests
Subject Access Requests (SARs) will be handled using reasonable and proportionate searches of relevant systems, records, correspondence, and practice management systems.
Certain information may be withheld where permitted by law, including where disclosure would adversely affect the rights and freedoms of others, where legal exemptions apply, or where disclosure would be inconsistent with applicable professional, safeguarding, legal, or regulatory obligations.
Where permitted by law, requests that are manifestly unfounded, excessive, repetitive, or unreasonable may be refused or may be subject to a reasonable administrative fee.
19. Complaints About Data Handling
If you have concerns regarding how your personal data has been collected, stored, used, processed, or handled, please contact me in the first instance.
I will aim to investigate concerns appropriately and respond within a reasonable timeframe.
You also have the right to raise concerns directly with:
Information Commissioner's Office (ICO)
Making a complaint will not affect any other legal rights you may have.
20. Reviews and Testimonials
If you choose to leave a review or testimonial on platforms such as Google, social media platforms, professional directories, or other third-party websites:
The information may be publicly visible
I do not control third-party platforms
Third-party privacy policies may apply
You should avoid sharing sensitive personal, clinical, therapeutic, counselling, psychotherapy, or health-related information publicly
Where appropriate, I may refer to publicly available reviews or testimonials for marketing, promotional, educational, or business purposes.
By publishing a public review or testimonial, you acknowledge that information you choose to disclose may be visible to others and may remain publicly accessible even if subsequently removed from my own marketing materials.
21. CCTV
CCTV is in operation at my property for security, safety, crime prevention, and property protection purposes.
This may include:
Driveway areas
External entrances
External areas immediately surrounding the property
CCTV is not used for counselling, psychotherapy, hypnotherapy, assessment, consultation, or therapeutic purposes.
Footage:
Is not routinely monitored
Is stored securely
Is only accessed where reasonably necessary
Is typically deleted within approximately 48 hours unless required for security, safeguarding, legal, insurance, or evidential purposes
Where CCTV footage contains personal data, it will be processed in accordance with applicable data protection legislation.
22. Cookies and Website Analytics
My websites may use cookies and similar technologies to:
Improve website functionality
Analyse website usage
Enhance user experience
Support website security and performance
This Privacy Policy applies to websites operated under my trading names, including:
My websites may use analytics tools, such as Google Analytics, to help me understand website usage and improve website functionality and performance.
Information collected through analytics tools is generally aggregated and does not directly identify individual users.
Where required by applicable legislation, cookie consent mechanisms will be provided.
You can manage cookie preferences through your browser settings.
Third-party services embedded within my websites may also place cookies in accordance with their own privacy and cookie policies.
23. Automated Decision-Making and Artificial Intelligence
I do not use automated decision-making or profiling that produces legal effects or similarly significant effects for clients or prospective clients.
Any decisions relating to suitability, service provision, safeguarding, referrals, risk management, appointments, or therapeutic services are made by me as a human practitioner exercising professional judgement.
I may use technology, software systems, or artificial intelligence-assisted tools to support the administration, operation, communication, marketing, or management of my practice.
However, I do not rely solely upon automated systems or artificial intelligence to make decisions regarding an individual's suitability, care, safeguarding, risk management, referrals, or provision of services without appropriate human involvement and professional oversight.
24. External Links
My websites, emails, communications, resources, directories, or social media content may contain links to external websites, services, or resources.
I am not responsible for the content, security, privacy practices, availability, or policies of third-party websites or services.
Accessing third-party websites is done at your own risk and you should review their privacy policies before providing personal information.
The inclusion of any external link does not imply endorsement of the content, services, organisations, or privacy practices of any third party.
25. Updates to This Privacy Policy
This Privacy Policy may be updated periodically to reflect:
Operational changes
Service changes
Regulatory developments
Legal requirements
Technological developments
Changes to professional standards
Changes to practice procedures
The most recent version will always be available via the relevant website(s).
Where appropriate, significant changes may also be communicated through email, practice management systems, or other reasonable means.
Continued use of my services, websites, systems, or communications following publication of an updated Privacy Policy may be treated as acceptance of the revised version.
26. Contact Details
Data Controller:
Andrew Robin Selway
Trading as:
HeadFirst Hypnotherapy®
Andrew Selway Counselling & Psychotherapy
Websites:
www.andrewselwaytherapy.co.uk
Email Addresses:
andy@headfirsthypnotherapy.co.uk (HeadFirst Hypnotherapy)
andrew@andrewselwaytherapy.co.uk (Andrew Selway Counselling & Psychotherapy)
ICO Registration Number: ZB630728
If you have any questions about this Privacy Policy, your personal data, your rights under applicable data protection legislation, or how your information is processed, please contact me using the details above.
I will endeavour to respond to privacy-related enquiries within a reasonable timeframe.

